The ObliqueRAT malware is now cloaking its payloads as seemingly-innocent image files that are hidden on compromised websites.
The remote access trojan (RAT), which has been operating since 2019, spreads via emails, which have malicious Microsoft Office documents attached. Previously, payloads were embedded into the documents themselves. Now, if users click on the attachment, they’re redirected to malicious URLs where the payloads are hidden with steganography.
Researchers warn that this new tactic has been seen helping ObliqueRAT operators to avoid detection during the malware’s targeting of various organizations in South Asia — where the goal is to ultimately sends victims an email with malicious Microsoft Office documents, which, once clicked, fetch the payloads and ultimately exfiltrate various data from the victim.
“This new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections,” said Asheer Malhotra, researcher with Cisco Talos, on Tuesday. “Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms.”
What is the ObliqueRAT Malware?
The known activity for ObliqueRAT dates back to November 2019, part of a campaign targeting entities in Southeast Asia and uncovered by Cisco Talos researchers in February 2020. ObliqueRAT operators have always used emails with malicious attachments as an initial infection vector. Generally the infection chain uses an initial executable, which acts as a dropper for ObliqueRAT itself.
Once it infected systems, ObliqueRAT exfiltrates various information, including system data, a list of drives and a list of running processes.
ObliqueRAT Malware Evolution
The newly discovered ObliqueRAT attack chain was part of a campaign that started in May last year – but which was only recently uncovered by researchers. In addition to the use of URL redirects, the payloads themselves have also been given an update, now consisting of seemingly benign bitmap image files (BMP).
The image files contain both legitimate image data and malicious executable bytes concealed in the image data, said researchers. Threatpost has reached out to Cisco Talos for further information on the compromised websites and the images used as part of the attack.
This is a well-known tactic used by threat actors, called steganography. Attackers hide malware in image files as a way to circumvent detection. That’s because many filters and gateways let image file formats pass without too much scrutiny.
The initial email sent to victims contains malicious documents with new macros, which redirect users to the malicious URLs containing these payloads. The malicious macros consequently download the BMP files, and the ObliqueRAT payload is extracted to the disk.
There are slight variations that have been seen in real-world attacks. One instance of a malicious document that researchers found “uses a similar technique, with the difference being that the payload hosted on the compromised website is a BMP image containing a .ZIP file that contains ObliqueRAT payload,” said Malhotra. “The malicious macros are responsible for extracting the .ZIP and subsequently the ObliqueRAT payload on the endpoint.”
During the course of their investigation, researchers also discovered three previously used but never-before-seen payloads for ObliqueRAT, which showed how the malware authors have made changes over time. For instance, one of the versions created in September added new file enumeration and stealing capabilities, as well as expanded the payload’s functionalities to include the ability to take webcam and desktop screenshots and recordings.
ObliqueRAT: Hiding From Detection, Improved Persistence
This updated payload delivery technique gives attackers a leg up in sidestepping detection, said researchers.
“It is highly likely that these changes are in response to previous disclosures to achieve evasion for these new campaigns,” they said. “The usage of compromised websites is another attempt at detection evasion.”
The macros also have adopted a new tactic for achieving reboot persistence for the ObliqueRAT payloads. This is accomplished by creating a shortcut (.URL file extension) in the infected user’s Startup directory, said researchers. Once the computer reboots, the payloads will then still be able to run.
RevengeRAT: Researchers Link With ‘Low Confidence’
Researchers said that they observed overlaps in the command-and-control (C2) server infrastructure between ObliqueRAT and a RevengeRAT campaign. However, they only made the connection with “low confidence” due to lack of any other more substantial evidence.
Previously, researchers also made links between ObliqueRAT and Crimson RAT. The functionalities of Crimson RAT include stealing credentials from victims’ browsers, capturing screenshots, collecting antivirus software information, and listing the running processes, drives and directories from victim machines. Researchers said that the two RATs shared “similar maldocs and macros” in previous ObliqueRAT campaigns.
“This malware has links to the Transparent Tribe group that has historically targeted entities in South Asia,” Malhotra told Threatpost. “As is the case with most suspected APT campaigns, this campaign is also low volume. A low-volume campaign has better chances of remaining undiscovered for longer periods of time thus increasing the chances of success for the attackers.”